NIST Updates Password Security Guidelines: $t0P d0!Ng Th!$

To those who think Th!$ i$ Th3 b3$t w4y t0 wr!t3 a P@$$w0rd, think again. The National Institute of Standards and Technology (NIST) has published new guidelines on password security that revise the old rules after concluding that they were doing more harm than good.

Paul Grassi, NIST Senior Standards and Technology Adviser, said in an interview with NPR, “The traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users.”

Previously, the NIST password guidelines called for a mix of lower- and uppercase letters, numbers, and special characters to make a strong password. Bill Burr, who wrote the 2003 NIST primer those rules came from, recently told The Wall Street Journal that he now disagrees with his original recommendation.

The updated guidance, in NIST Special Publication 800-63B (Digital Identity Guidelines), explains why forcing highly complex passwords can make security worse: “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner. While these practices are not necessarily vulnerable, statistically some methods of recording such secrets will be. This is an additional motivation not to require excessively long or complex memorized secrets.”

The guidelines no longer call for a mix of letters, numbers, and special characters. SP 800-63B says verifiers should not impose composition rules at all; instead it sets a minimum of 8 characters, asks verifiers to accept passwords of at least 64 characters made up of any printable character (spaces included), and to screen new passwords against lists of commonly used or previously breached ones. Under those rules a long, memorable phrase of ordinary English words, typed entirely in lowercase, is perfectly acceptable.

Previous guidance also called for a password change every 90 days. The new rules drop that practice: as Engadget reports, NIST now recommends changing a password only when there is evidence that it has been compromised, and the publication is explicit that passwords need not expire periodically to remain secure.
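The contrast between the old composition rules and what SP 800-63B actually asks a verifier to check, written out as a Python example (added here; it is not code from NIST, MetroStar or the article). The blocklist is a constructed five-entry stand-in for the breach corpus a real verifier would load, and case-folding the candidate before the lookup is this example's choice rather than a requirement of the publication:

```python
"""Legacy composition rules beside an SP 800-63B-style verifier check.

Added example; not code from NIST or from MetroStar. BLOCKLIST is a
constructed stand-in for the list of commonly used or breached passwords
that 800-63B tells verifiers to screen against; a real deployment would
load a large breach corpus. Case-folding before the lookup is an
assumption of this example, not something the publication mandates.
"""
import re
import unicodedata

# Constructed sample blocklist; real lists hold hundreds of millions of entries.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein"}

MIN_LENGTH = 8  # 800-63B: subscriber-chosen secrets SHALL be at least 8 characters


def legacy_policy(pw: str) -> list[str]:
    """2003-style composition rules: 8+ characters drawn from four character classes.

    Returns a list of rule violations; an empty list means the password passes.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    for pattern, label in (
        (r"[A-Z]", "no uppercase letter"),
        (r"[a-z]", "no lowercase letter"),
        (r"[0-9]", "no digit"),
        (r"[^A-Za-z0-9]", "no special character"),
    ):
        if not re.search(pattern, pw):
            problems.append(label)
    return problems


def nist_800_63b_policy(pw: str, blocklist: set[str] = BLOCKLIST) -> list[str]:
    """Checks a verifier performs under SP 800-63B section 5.1.1.2.

    No composition rules. The secret is NFKC-normalised (800-63B permits
    this), length is counted in Unicode code points and must be at least 8,
    and the secret is rejected if it appears on the blocklist. No upper
    bound is enforced: 800-63B requires accepting at least 64 characters
    and forbids truncation. Returns a list of violations; empty means OK.
    """
    normalised = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(normalised) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    # Screen against known-bad values instead of demanding character classes.
    if normalised.casefold() in blocklist:
        problems.append("matches a commonly used or compromised password")
    return problems


def change_required(age_days: int, evidence_of_compromise: bool) -> bool:
    """800-63B: no arbitrary (e.g. periodic) change; a change is forced only
    on evidence of compromise. The age of the secret is deliberately ignored."""
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "short", "PASSWORD1"):
        print(f"{candidate!r}")
        print(f"  legacy rules : {legacy_policy(candidate) or 'accepted'}")
        print(f"  SP 800-63B   : {nist_800_63b_policy(candidate) or 'accepted'}")
    print("change after 365 days, no compromise:", change_required(365, False))
    print("change after 1 day, compromised     :", change_required(1, True))
```

Note how the two policies disagree on the samples: `P@ssw0rd` satisfies every composition rule yet is rejected by the blocklist check, while `correct horse battery staple` fails the old rules (no uppercase, no digit) and is accepted under 800-63B.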

MetroStar’s Director of Cybersecurity Clay Calvert compared the search space of passphrases (a string of ordinary English words written in lowercase) with that of passwords (a combination of letters, numbers, and symbols) to see how the two approaches measure up in strength.

In the table below, the first column gives the number of words or characters; the second gives the number of possible combinations for a passphrase of 1 through 20 words, and the third the same for a password of 1 through 20 characters.

[Table image: possible combinations for 1 through 20 words in a passphrase and for 1 through 20 characters in a password]

By Calvert's arithmetic, a 12-character password is roughly as strong as a passphrase of at least five words, and matching the strength of a 20-character password takes an eight-word passphrase.
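The arithmetic behind that comparison, as an added Python example (not the article's table or MetroStar code). The article does not state the dictionary or character set behind its table, so both are parameters; the defaults of 95 printable ASCII characters and a 7,776-word Diceware list are assumptions. The example generalizes the table to any dictionary size and adds the caveat a raw combination count hides: a phrase of dictionary words is only as strong as its number of words, not its number of letters:

```python
"""Search-space arithmetic behind the passphrase-versus-password comparison.

Added example; not the article's table or MetroStar code. The article does
not say which dictionary or character set its table used, so both are
parameters here. Assumed defaults: 95 printable ASCII characters (including
space) for passwords and a 7,776-word Diceware list for passphrases.
"""
import math

PRINTABLE_ASCII = 95    # assumption: printable ASCII including space
DICEWARE_WORDS = 7776   # assumption: 6**5 words in a standard Diceware list
LOWERCASE_LETTERS = 26


def combinations(symbols: int, length: int) -> int:
    """Search space when each of `length` positions is one of `symbols` choices."""
    return symbols ** length


def bits(symbols: int, length: int) -> float:
    """Entropy in bits for uniformly random choices: length * log2(symbols)."""
    return length * math.log2(symbols)


def words_to_match(password_chars: int, dictionary: int = DICEWARE_WORDS,
                   alphabet: int = PRINTABLE_ASCII) -> int:
    """Fewest dictionary words whose search space is at least that of a
    password of `password_chars` characters drawn from `alphabet` symbols."""
    return math.ceil(bits(alphabet, password_chars) / math.log2(dictionary))


def passphrase_bits(phrase: str, dictionary: int = DICEWARE_WORDS) -> tuple[float, float]:
    """(naive, real) strength of a lowercase word phrase.

    naive: every letter treated as an independent choice of 26, which is
           what a per-character guesser would have to cover.
    real:  every word an independent choice from the dictionary, which is
           what a dictionary-aware attacker actually enumerates. Assumes each
           word in the phrase is in the attacker's list.
    """
    words = phrase.split()
    naive = bits(LOWERCASE_LETTERS, sum(len(w) for w in words))
    real = bits(dictionary, len(words))
    return naive, real


def table(max_len: int = 20, dictionary: int = DICEWARE_WORDS,
          alphabet: int = PRINTABLE_ASCII) -> list[tuple[int, int, int]]:
    """Rows of (n, combinations for an n-word passphrase, combinations for an
    n-character password): the shape of the article's table."""
    return [(n, combinations(dictionary, n), combinations(alphabet, n))
            for n in range(1, max_len + 1)]


if __name__ == "__main__":
    print(" n   passphrase combinations                 password combinations")
    for n, phrase_space, pw_space in table(20):
        print(f"{n:2d}  {phrase_space:>24,d}  {pw_space:>40,d}")
    for chars in (8, 12, 16, 20):
        print(f"{chars}-char password ~ {words_to_match(chars)} Diceware words, "
              f"{words_to_match(chars, dictionary=90_000)} words from a 90,000-word list")
    naive, real = passphrase_bits("correct horse battery staple")
    print(f"naive {naive:.1f} bits vs real {real:.1f} bits")
```

With the Diceware default, matching a 12-character password takes seven words and a 20-character password eleven; a dictionary of roughly 90,000 words reproduces the five- and eight-word figures quoted above. The bit counts assume the words are chosen uniformly at random: a phrase lifted from a song or a quotation is far weaker than `real` suggests, and the `naive` figure only applies to an attacker who does not know the words came from a dictionary.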

“In short, just using passphrases alone could be a fine alternative to using passwords, but there will be a lot more typing every time authentication is needed,” Calvert notes. “I would recommend using at least five words in a passphrase. Including non-alphanumeric characters—that are easy for you to remember, of course—makes it much harder for threats to guess.”

In line with NIST’s new recommendations, Calvert notes that dropping the regular password change may ultimately be beneficial to the organization. “One agency I worked for had over 9,000 tickets a year just to reset forgotten passwords. The cost associated with lost productivity and IT support time could be measured in millions of dollars. Not only are regular user accounts impacted, but service accounts running on servers are required to be changed with the same frequency. Many times, there has been a self-inflicted denial of service in the name of security.”

In addition to password security, Calvert urges agencies and other organizations to remember three tenets of information security:

  • Confidentiality (that only those who are meant to see the data can access it)
  • Integrity (that data has not been maliciously changed)
  • Availability (that those who need the data can get to it)

Calvert concludes, “Availability often takes a backseat to the other two, but this new recommendation from NIST—making password creation easier for users—changes that.”
